ACCESS CONTROL PROTOCOL BETWEEN AN ELECTRONIC KEY AND AN ELECTRONIC LOCK

The present invention relates to an access control protocol between an electronic key and an electronic lock effecting logical access control.

Logical control of access to buildings, or to premises housing data processing systems or stores of fiduciary, technological or information assets, is currently of great and increasing interest.

Access control methods usually employ a portable access element functioning as a key, referred to as the accessing resource, and an accessed resource functioning as a lock.

Logical access control between an accessed resource functioning as an electronic lock and an accessing resource functioning as an electronic key currently consists of a succession of operations to verify information or messages exchanged between the electronic key and the electronic lock.

One of the main advantages of logical access control, compared to conventional physical access control of the lock-and-key type, is the facility to allow access to an accessed resource only within a predetermined short time period.

However, if the system comprising the accessing resource and the accessed resource provides one or several accessing resources allowing access to several accessed resources through similar logical access control, counterfeiting, during the validity time period, of either an electronic key functioning as the accessing resource or the access control dialogue between one of the electronic keys and one of the accessed resources functioning as an electronic lock can then allow illegitimate access to all of the accessed resources. Merely reproducing the logical access control dialogue between the accessing resource and one of the accessed resources allows such illegitimate access through a procedure referred to as "playback" (replay).

A conventional solution that has been implemented 
with the aim of responding to any such illegitimate use 
applies logical access control based on cryptographic 
mechanisms to limit the period of validity of the right 
of access to a short period, to foil illegitimate use 
outside the validity time period in the event of loss, 
theft or illicit holding of the electronic key. One such 
solution, described in French Patent Application No. 
2 722 596 (94 08770) in the name of FRANCE TELECOM and LA 
POSTE and published 9 January 1996, establishes a digital 
signature of the time period during which access is 
authorised. Access to the accessed resource is 
conditional on verification of the aforementioned digital 
signature within the accessed resource. 

Another conventional solution implemented with the same aim, more particularly to respond to playback, uses a random variable to introduce variability or diversity into the access control dialogue between the key and the electronic lock. A solution of this kind appears to have limitations: the randomness of the values produced by the usual random or pseudo-random generators is not fully satisfactory unless one or more external physical variables of a purely random nature are used, and the non-repetition of such random numbers is not guaranteed. It will therefore not discourage highly skilled attackers who are determined to succeed and who have access to powerful computing resources.

In any event, the aforementioned solutions are therefore unable to prevent with certainty either illegitimate use of an electronic key or playback during the validity time period of an accessed resource.

Other solutions have been proposed. Application EP-A-727 894 describes a system based on secret key cryptography. Such systems raise the problem of key management, as key certificates cannot easily be used. Patent application EP-A-807 911 describes a system based on secret key and public key cryptography using encryption techniques. A public key certificate encrypted by means of a secret key is sent. The secret key used is itself sent encrypted with the public key of the recipient.

The object of the present invention is to remedy the 
aforementioned drawbacks of prior art solutions. 

An object of this kind is achieved in particular by 
integrating into the logical access dialogue between an 
accessing resource and at least one accessed resource a 
process of authentication of the accessing resource by 
the accessed resource and making authorisation or refusal 
of access conditional on a successful outcome of the 
authentication process. 

Another object of the present invention is 
consequently to use an access control protocol between an 
accessing resource consisting of an electronic key and an 
accessed resource consisting of an electronic lock in 
such a way that the authentication process is conducted 
in accordance with a challenge -and- response protocol and, 
in a particularly remarkable manner, the risk of the 
electronic key being compromised is further and 
significantly reduced to that caused by the presence in 
the electronic key of a simple right of access. 

A final object of the present invention is to 
prevent all risk of picking an electronic lock by 
playback in a given validity time period because of the 
very existence of the authentication process. 

The access control protocol according to the invention between an electronic key and an electronic lock performing said access control is remarkable in that, following presentation of the electronic key to the electronic lock, the protocol consists of transmitting a random variable message prompting authentication of the electronic key from the electronic lock to the electronic key. On receiving the random variable message prompting authentication, a signature value of the random variable message prompting authentication and specific authentication data are transmitted from the electronic key to the electronic lock, the signature value transmitted being calculated from a private signature key and the specific authentication data. After reception by the electronic lock of the signature value and the specific authentication data, the electronic lock verifies the authenticity of the signature value as a function of the specific authentication data. In response to a positive or negative result of said verification, access is respectively accepted or refused.

The access control protocol in accordance with the 
invention between an electronic key and an electronic 
lock can be applied to all types of accessing resource 
and to all types of accessed resource. 

Because calculating the signature value of the random variable message prompting authentication eliminates the risk of playback, and because determining that signature is improbable without physical possession of the electronic key generating it, the protocol according to the present invention appears particularly well suited to the secure management of a plurality of accessed resources, such as mailboxes or even strongboxes, by means of one or more accessing resources, or electronic keys, enabling legitimate access to each of the accessed resources, the number of electronic keys being very much less than the number of mailboxes or strongboxes.

The invention will be better understood after 
reading the following description and referring to the 
accompanying drawings, in which: 

- figure 1a shows a general block diagram of the access control protocol in accordance with the present invention between an electronic key and an electronic lock;

- figure 1b shows a sequential flowchart of the succession of steps for implementing the access control protocol in accordance with the present invention between an electronic key and an electronic lock;

- figure 1c shows a preferred embodiment of a signature verification procedure used by an electronic lock (accessed resource) in accordance with the protocol according to the present invention;

- figure 1d shows one example of a mode of operation for obtaining a random variable message prompting authentication in accordance with the protocol according to the present invention;

- figure 1e shows a procedure carried out by an electronic key for auxiliary verification of a public key enabling the electronic key to perform the random variable message signature operation in the context of the protocol according to the present invention;

- figure 1f shows one example of a method of reducing picking of an electronic lock outside at least one validity time period conforming to the protocol according to the present invention;

- figure 1g shows a particularly advantageous variant of the auxiliary verification process shown in figure 1e in which, if the electronic key has an internal clock, an additional security feature consisting of total invalidation of the electronic key is provided for situations in which access is attempted outside the validity time period;

- figure 2a shows a first advantageous variant of the protocol according to the present invention which avoids storing a second public key in each electronic lock, which increases the overall security level of the system as a whole;

- figure 2b shows a sequential flowchart of the steps of the protocol shown in figure 2a;

- figure 3a shows a block diagram of the electronic architecture of an electronic key for implementing the access control protocol according to the present invention; and

- figure 3b shows a block diagram of the electronic architecture of an electronic lock for implementing the access control protocol according to the present invention.

An access control protocol in accordance with the present invention between an electronic key and an electronic lock providing logical access control will now be described in more detail with reference to figures 1a and 1b.

The access control protocol according to the present invention consists of a logical access control dialogue between the electronic key and at least one electronic lock, this logical access control incorporating a process of authentication of the electronic key by the electronic lock in order to authorise or refuse access. The authentication process uses message and/or data signature calculation and signature verification operations verifying the authenticity of the aforementioned messages or data.

By way of non-limiting example, the signature calculation operations followed by the signature verification operations included in the protocol according to the present invention can be based either on a secret key signature algorithm or on a public key algorithm using a private signature key associated with a public signature verification key.

The signature calculation and signature verification operations for implementing the access control method according to the present invention are described hereinafter in connection with one non-limiting preferred embodiment of the invention using an encryption or signature algorithm employing at least one public key and one private key, the algorithm being, for example, the RSA algorithm developed by RIVEST, SHAMIR and ADLEMAN. Other public key algorithms can be used without disadvantage.

Employing the usual terminology, in the context of the signature calculation and signature verification processes, if a public key algorithm is used, any signature key is a private key, which must be kept secret, whereas any signature verification key is a public key, which can be divulged. However, if a secret key algorithm is used and the secret key is employed as an encryption key to carry out the signature operation, then both that key and the signature verification key must be secret keys.

By convention, for any private key used to calculate a signature, the notation used for the signature obtained by applying the private key K_S through the signature algorithm used, i.e. the RSA algorithm in the context of this example, is:

S_KS(A, B, C)

Likewise, the notation used for any signature verification operation effected by applying the public key K_P associated with the private key K_S to the aforementioned signatures or signed messages X, Y, Z, the signature being a digital message, is:

V_KP(X, Y, Z)

In any signature calculation operation, respectively signature verification operation, A, B, C, respectively X, Y, Z, designate the arguments subjected to the signature operation, respectively signature verification operation, these arguments consisting of messages or data, as previously mentioned.

By definition, the verification operation using the public key K_P applied to a signature obtained by means of the private key K_S applied to an argument A, and taking A as an input parameter, produces a Yes/No verification response. This verification is written:

V_KP(S_KS(A), A) = Yes/No.

If message-recovery ("message re-establishing") algorithms are used for the signature and signature verification operations, such as the RSA algorithm, the verification additionally yields a verified value VA of the argument A, which is expected to equal the argument A itself.

To be more specific, to enable the use of the access control protocol according to the present invention, the electronic key and the electronic lock are each provided with modules Ca_k and Ca_i for calculating and memorising data, to enable storage in memory of any message necessary for the identification process, calculation of the signatures and verification of the signatures to enable use of the authentication process. The suffixes k and i represent a physical reference or address allocated to an electronic key and to an electronic lock, respectively.

In figure 1a and the subsequent figures, an electronic key EK_kj is used to implement the access control protocol according to the invention. The suffix k corresponds to a serial number or identifying number of the electronic key itself. The suffix j corresponds to a validation operation reference or address for the electronic key EK_kj, as described in more detail later. Each electronic key EK_kj is therefore provided with a calculation module Ca_k and a message transmission module T_k, represented by a wire antenna connected to the calculation unit Ca_k, the wire antenna enabling transmission of messages by electromagnetic means, for example.

The same applies to each electronic lock. Figure 1a shows a set of electronic locks B_i, each electronic lock B_i having a calculation and memory module Ca_i and a transmission module T_i represented by a wire antenna and enabling electromagnetic transmission and reception of messages or data, for example.

In the event of an attempt to access a lock B_i using a key EK_kj, the respective wire antennas T_k and T_i are brought face-to-face to enable the exchange of messages for assuring the previously mentioned logical access control.

Generally speaking, in figure 1a, as in all the figures accompanying this description, in any general block diagram including various actors of the access control protocol according to the invention, any transaction, i.e. any exchange of messages between actors, is represented by an arrow extending from one of the actors to the other.

If an operation is effected internally by an actor, that operation is represented by a closed arrow indicating internal execution for the actor concerned.

Finally, any transaction between two actors performed as an antecedent to implementation of the protocol according to the present invention is represented by a dashed line arrow.

The access control protocol according to the present invention between an electronic key and an electronic lock is implemented under the control of a certification authority shown diagrammatically in figure 1a and responsible for general management of the set of electronic keys EK_kj and the set of electronic locks accessible by means of at least one of the electronic keys.

As shown in figure 1a, the certification authority can consist of a signature entity which is approved to choose and define a private key K_S in the context of execution of the signature algorithms previously referred to. The private signature key K_S is therefore chosen by the signature entity, and this signature key is neither communicated nor divulged to any other actor authorised to use the access control protocol according to the present invention.

The certification authority further comprises a validation entity which can be separate from the signature entity but is related to it hierarchically. The signature entity communicates to the validation entity the public key K_P associated with the private key K_S and authentication data DA_j, which in fact consists of the signature, using the private key K_S held by the certification authority, of a certain number of arguments, including in particular a second public key K'_P, a time period value PH_j associated with the second public key K'_P and, for example, specific auxiliary data AUX. In the remainder of the description, the time period PH_j is referred to as the validity time period.

The second public key K'_P is associated with a private key K'_S. The initiative for choosing the second private key K'_S and the second public key K'_P can be accorded to the validation entity.

To implement the access control protocol according to the present invention, each electronic key EK_kj is subjected to a validation operation V_j consisting of loading and/or downloading the data parameters and messages held by the validation entity and needed to implement the access control protocol according to the present invention into the memory circuits of each of the aforementioned electronic keys EK_kj. The operation V_j is therefore shown in chain-dotted line in figure 1a, because it is carried out before the first use of a particular electronic key, of course. During this operation, the authentication data DA_j and the second private key K'_S are loaded into the memory circuits of each electronic key EK_kj, and appropriate memory circuits for the data and the key are preferably provided in the calculation unit Ca_k, the memory circuits including at least one protected memory area whose level of protection substantially corresponds to that of the protected memory areas of a smart card, for example, in order to store the second private key K'_S in a secure manner. The authentication data DA_j is specifically loaded before one or more uses of the electronic key EK_kj.

Thus each electronic key EK_kj, which is unusable before any validation operation V_j, is in fact replaced by an operational electronic key EK_kj, the suffix j designating the reference to the authentication data DA_j associated with the aforementioned electronic key, and in particular the validity time period of the second private key K'_S and the second public key K'_P associated with that time period.

Also, the validation operation V_j consists of loading or downloading into each key EK_kj the first public key K_P corresponding to the first private key K_S held by the certification authority. Specifically, the first public key K_P is loaded once only into each electronic key EK_kj before one or more successive uses, according to the key management policy defined by the certification authority for each application concerned.

A step V_i (figure 1a) of validating each electronic lock B_i consists of storing in memory and loading and/or downloading into the memory circuits of each calculation unit Ca_i the first and second public keys K_P, K'_P referred to previously.

After the aforementioned validation operations V_j and V_i, the access control protocol according to the present invention can be conducted between a validated electronic key EK_kj and any electronic lock B_i that has also been validated, as previously mentioned.

Any attempt at access by an employee holding an electronic key EK_kj entails that person bringing together the respective transmission units T_k and T_i of the electronic key and the electronic lock.

This having been effected (by way of non-limiting example) between the key and the lock B_i shown in figure 1a, the electronic key EK_kj sends the electronic lock B_i an identification request message A_ki. The identification request message can be an identification number specific to the electronic key EK_kj, for example. Following verification of the identification request message A_ki, the electronic lock B_i can implement the access control protocol according to the present invention, as described hereinafter. The aforementioned verification operation can simply consist of verifying the value of the message communicated against reference values.

Referring to the aforementioned figure, the access control protocol according to the present invention consists at least of transmission from the electronic lock B_i to the electronic key EK_kj of a random variable message a_ij prompting authentication of the electronic key, after reception by the electronic lock B_i of the identification request message A_ki sent to it by the accessing electronic key.

Following reception by the electronic key of the random variable message a_ij prompting authentication, the key calculates a signature value C_i of the random variable message prompting authentication. In figure 1a, this step is denoted:

C_i = S_K'S(a_ij).

Given the convention indicated, the signature value of the random variable message prompting authentication is obtained from the second private key K'_S. It is clear in particular that the signature operation C_i in respect of the random variable message prompting authentication a_ij in fact establishes the right of access of the electronic key to the electronic lock for the true value of that signature. It is further clear, in accordance with one particularly advantageous aspect of the protocol according to the present invention, that the right of access is modified for each transaction and each attempted access.

Following this signature calculation step, the electronic key EK_kj transmits to the electronic lock B_i the signature C_i and specific authentication data DA_j, the data being specific to the validity time period PH_j of the second private key K'_S and the second public key K'_P associated with that validity time period. The aforementioned transmission operation is denoted C_i, DA_j in figure 1a.

Following reception by the electronic lock B_i of the signature value C_i and the specific authentication data DA_j, the electronic lock B_i verifies the authenticity of the signature value as a function of the specific authentication data, as shown by a closed arrow in figure 1a. In the same manner as previously, the aforementioned verification operation by the electronic lock B_i is denoted:

V_KP,K'P(C_i, DA_j) = Yes/No.

Given the convention previously adopted, it is clear that the aforementioned verification step is effected by applying the first and second public keys K_P, K'_P, taken as parameters. The application of the aforementioned keys can also restore verified values of the random variable message transmitted by the electronic lock B_i to the electronic key and of the specific authentication data DA_j. The verification operation enables the electronic lock B_i to decide to accept or refuse the requested access, according to whether they are authentic or not. Thus in the event of a positive result (Yes) of the aforementioned verification step, access is allowed, whereas in the event of a negative result (No) access is refused.
A sequential description of the access control protocol according to the invention, as shown by the general block diagram in figure 1a, will now be given with reference to figure 1b.

In figure 1b, step 1000 represents the step of transmission by the electronic key EK_kj of the identification request message A_ki. That step is followed by a step 1001 representing the transmission of the random variable message a_ij by the electronic lock B_i to the electronic key EK_kj. The next step 1002 represents, based on the initial validation data V_j, and successively, the calculation of the random variable message signature C_i and transmission of the signature and the specific authentication data DA_j. Step 1002 is itself followed by the step 1003, effected by the electronic lock and based on the initial validation data V_i, of verifying the authenticity of the signature value according to the specific authentication data.

By way of non-limiting example, and for simplicity, the aforementioned verification step can generate a verification variable V, itself corresponding to a logic value 0 or 1, i.e. to the Yes or No result mentioned previously. This being the case, step 1003 is then followed by a step 1004 which is carried out at the level of the electronic lock to test the true value of the verification logic variable V, i.e. the Yes/No result. The true value of the latter leads to authorisation of access (step 1006), whereas the absence of a true value leads to refusal of access (step 1005).

With regard to the nature of the specific authentication data DA_j transmitted by the electronic key EK_kj to the electronic lock B_i, as shown in figure 1a, the data consists of at least a public key certificate associated with the private signature key K'_S. The public key certificate consists of a digital signature value of at least one validity time period PH_j relative to a right of access and the second public key K'_P.

Accordingly, given the convention previously indicated, the specific authentication data DA_j corresponds to the signature S_KS of various arguments such as the second public key K'_P associated with the private signature key K'_S and at least one time period PH_j associated with the second public key K'_P, the specific authentication data DA_j being obtained by application of the private signature key K_S of the signature entity. In particular, it is clear that various time period values can be used, for example by employing a diversity program for choosing a specific time period from among several such periods.

Note, however, that apart from the two arguments K'_P and PH_j previously mentioned, another argument relating to the auxiliary data AUX can be subjected to the aforementioned signature operation S_KS. The auxiliary data can advantageously comprise, although this is not limiting on the invention, a serial number of the associated electronic key EK_kj, that serial number representing a code of the suffix k indicative of the aforementioned electronic key. Other digital values or data can be transmitted by the electronic key by way of the field relating to the auxiliary data, as described later.

The transmission steps 1000, 1001 and the transmission substep of step 1002, as shown in figure 1b, are performed by the transmission systems of the electronic key EK_kj and the lock B_i, denoted by the reference T_i in the case of the lock.

Finally, in one advantageous embodiment of the access control protocol according to the present invention, the step of transmission from the electronic key EK_kj to the electronic lock B_i, shown in figure 1a and referenced 1002 in figure 1b, can consist of transmitting the second public key K'_P obtained from the authentication data DA_j, for example, in addition to the signature value C_i of the random variable message prompting authentication and the authentication data DA_j. For this reason, the second public key K'_P is shown in parentheses during the transmission step shown in figure 1a and referenced 1002 in figure 1b. In a case like this, it is naturally not necessary to store the second public key K'_P in memory in the electronic lock during the operation to validate each electronic lock B_i. The first public key K_P is then used during the operation V_KP,K'P(C_i, DA_j) of verifying the authentication data to attest to the authenticity of the second public key K'_P transmitted.

Generally speaking, the step of verifying the authenticity of the signature value by the electronic lock can be effected by means of a secret key, when the signature calculation operation is based on that secret key or on another secret key, or by means of a public key, if the signature operation is based on a private key.

A more detailed description of the verification step 1003 effected by the electronic lock will now be given with reference to figure 1c, in the specific but non-limiting situation of using a message-recovery algorithm such as the RSA algorithm.

As shown in the aforementioned figure, the verification step 1003 includes, in succession, a first verification step 1003a effected by the electronic lock B_i, this verification consisting of verifying the authenticity of the specific authentication data DA_j against reference data comparison criteria stored previously in the memory circuits of the electronic lock B_i. It is clear in particular that applying the first public key K_P available to the signature S_KS provides, given the conventions referred to above, a verified value of the public key K'_P associated with the private signature key K'_S, denoted VK'_P, and a verified value of the time period PH_j. The auxiliary data is also reproduced when auxiliary data is transmitted by means of the argument AUX in the signature S_KS.

Accordingly, and in a manner that is not limiting on the invention, the reference data stored in the memory circuits of the electronic lock B_i corresponds not only to the second public key K'_P associated with the private signature key K'_S but also to the time period value PH_j and, where applicable, the serial number of the key, which can be stored in a protected read-only circuit. The verified values can then be compared with the reference values by a simple equality comparison 1003a. In step 1003a there is merely shown the equality test on the verified value VK'_P of the second public key against the stored value of the second public key K'_P.

In the event of a positive result of the aforementioned comparison in step 1003a, a second verification is performed by the electronic lock B_i in step 1003b. As shown in the aforementioned figure, this second verification consists of verifying the signature value of the random variable message prompting authentication.

Given the previous conventions, the second verification is denoted:

V_K'P(C_i) = V_K'P(S_K'S(a_ij)).

Clearly during this second verification step performed in step 1003b, a verified value Va_ij is obtained for the random variable message prompting authentication. The verified value of the random variable message prompting authentication can then be compared with the random variable message prompting authentication a_ij, which will have been stored beforehand in the memory circuits of the electronic lock B_i, of course.

Thus it is clear that the second verification of the 
signature value is conditional on verification of the 
5 second public key K' p associated with the private 
signature key K'g and therefore, in the final analysis, on 
the aforementioned specific authentication data DA^ . 

Generally speaking, the first verification of the 
authenticity of the specific authentication data, 

10 represented in step 1003a in figure Ic, can consist of 
checking the validity time period PH^ associated with the 
second public key K'p. By applying the first public key Kp 
to the signature S^s (K' p, PH^ , AUX) , the verification step v^p 
enables the value of the validity time period PHj 

15 associated with the second public key K'p to be obtained, 
alone, of course. 

As shown in figure 1d, the random variable message prompting authentication aij mentioned above can depend on an identification value CBi of the electronic lock. It can correspond to a serial number or a coded arbitrary number allocated to the aforementioned electronic lock Bi.

As also shown in figure 1d, the random variable message aij can also depend on a continuously increasing variable count value CO which can correspond to a date value expressed as a year Y, month M, day D, hour H, minute m and second s.

It is clear, for example, that the field CBi and the field CO relating to the identification value of the electronic lock and to the continuously increasing variable value can be coded on the same number of bits, for example 32 or more bits, in which case each field can be combined bit-by-bit on the basis of a logical composition law ⊕, for example, to generate a component rij of the random variable message prompting authentication, as shown in figure 1d. The composition law is an exclusive-OR operation, for example. The random variable message aij is then obtained by concatenating the component rij and the fields CBi and CO. This coding method guarantees that the random variable message obtained is not repetitive.
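The construction of figure 1d, written out as an added example that is not part of the patent text. CBi, CO, rij and aij are the page's symbols; the 32-bit big-endian field width, the field order rij || CBi || CO and the small counter class are assumptions made here.

```python
# Added example (not from the patent): composing the random variable message
# a_ij from the lock identifier CBi and the count value CO as in figure 1d:
# r_ij = CBi XOR CO, then a_ij = r_ij || CBi || CO.  Field width (32 bits,
# big-endian) and field order are assumptions.
import struct

FIELD = struct.Struct(">I")           # one 32-bit field (assumed width)

def build_aij(cb_i: int, co: int) -> bytes:
    """Compose the message prompting authentication from CBi and CO."""
    if not (0 <= cb_i < 2**32 and 0 <= co < 2**32):
        raise ValueError("CBi and CO must fit the 32-bit field")
    r_ij = cb_i ^ co                   # composition law: exclusive-OR
    return FIELD.pack(r_ij) + FIELD.pack(cb_i) + FIELD.pack(co)

def parse_aij(aij: bytes):
    """Split a_ij back into (r_ij, CBi, CO) and check the XOR relation."""
    if len(aij) != 3 * FIELD.size:
        raise ValueError("bad a_ij length")
    r_ij, cb_i, co = (FIELD.unpack(aij[i:i + 4])[0] for i in range(0, 12, 4))
    if r_ij != cb_i ^ co:
        raise ValueError("r_ij does not equal CBi XOR CO")
    return r_ij, cb_i, co

class LockCounter:
    """Incremental counter CO: the simpler alternative to an internal clock."""

    def __init__(self, cb_i: int, start: int = 0):
        self.cb_i, self.co = cb_i, start

    def next_challenge(self) -> bytes:
        self.co += 1                   # CO only ever advances, so a_ij never repeats
        return build_aij(self.cb_i, self.co)

def challenges_are_distinct(cb_i: int, n: int) -> bool:
    """Issue n challenges from one lock and confirm that none of them repeats."""
    lock = LockCounter(cb_i)
    seen = {lock.next_challenge() for _ in range(n)}
    return len(seen) == n
```

Since rij is derived from CBi and CO, aij is non-repeating rather than unpredictable: its protection against playback comes from the signature the key computes over it and from the lock's own checks on CO, not from any secret carried in the message itself.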

Although the field relating to the serial number of the electronic lock CBi can be given by any protected memory element available in the memory circuits of the aforementioned electronic lock, the count value CO can be delivered either by an incremental counter or by an internal clock available in each electronic lock. Using an incremental counter has the advantage of simplifying the circuits required to implement each electronic lock.

One particularly advantageous embodiment of the access control protocol according to the present invention between an electronic key and an electronic lock will now be described with reference to figure 1e.

Figure 1e shows the electronic key EKkj as shown in figure 1a, for example. However, in addition to the calculation circuits Cakj associated with the aforementioned electronic key, the key has an internal clock CK. The internal clock delivers a clock signal VCK to the corresponding calculation unit Cakj.

This being so, and as shown in figure 1e, the protocol according to the present invention further consists of an auxiliary verification step 1007 for verifying authorisation of signature calculation for the random variable message prompting authentication. The auxiliary verification step is carried out by the electronic key EKkj following reception of the random variable message prompting authentication aij in step 1001, as shown in figure 1a, but before the step of calculation and transmission of a signature value by the electronic key, as shown in step 1002 in the aforementioned figure.

The auxiliary verification step 1007 consists of using the first public key Kp to check the public key certificate and the validity time period PHj associated with the aforementioned second public key K'p against the internal clock.

Given the above conventions, and taking the second public key K'p as a parameter, the verification operation is denoted:

- VKp(SKs(K'p, PHj, AUX), K'p) = Yes/No

However, using a message re-establishment algorithm leads to an operation denoted:

- VKp(SKs(K'p, PHj, AUX))

which produces the verified value VK'p of the second public key which can be compared to the value of the second public key K'p, as previously mentioned.

The aforementioned verification step then provides the verified value of the validity time period PHj. The value of the clock signal VCK is compared to the validity time period PHj to verify the validity of the second public key K'p with which the aforementioned validity time period is associated. For example, the value of the clock signal VCK for a given validity time period can be compared to the limits which define the aforementioned validity time period PHj.

Step 1007a is followed by a step 1007b consisting of verifying the association of the second private signature key K's with the second public key K'p whose validity was verified in the preceding step 1007a. The association verification operation carried out in step 1007b can consist of calculating a signature SK's(X) obtained by applying the second private signature key K's to a random variable X generated by the electronic key EKkj (see figure 1e). A verification step applied to the verification signature value SK's(X) then constitutes the association verification step, the verification applying to the signature calculated previously and being denoted:

VK'p(SK's(X)).

This verification step produces a verified value VX of the random variable X in step 1007b. A test which compares the verified value VX of the random variable X with the previously stored random variable X determines the validity of the association of the second private signature key K's with the second public key K'p, whose validity was verified in the preceding step 1007a.

Verifying that the validity time period PHj is compatible with the clock signal VCK, that the verified value VK'p of the second public key K'p is identical to the value of the second public key K'p, and that the verified value of the random variable VX is identical to the value of the random variable X constitutes a test which, if the result is positive (step 1007c, see figure 1e), enables the protocol according to the present invention to continue (step 1007e), which is followed by the signature of the random variable message prompting authentication aij (step 1002). In the event of a negative result, the aforementioned protocol is interrupted (step 1007d).
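The lock-side verification 1003a/1003b and the key-side steps 1007a, 1007b and 1007c, modelled end to end as an added example; this is not the patent's own code. Kp/Ks, K'p/K's, DAj, PHj, AUX, aij, Ci, X and VCK are the page's symbols. The example assumes a toy textbook RSA on fixed Mersenne-prime moduli (far too small for real use) and substitutes hash-and-sign with the signed tuple handed to the verifier, i.e. the page's "Yes/No" form VKp(SKs(K'p, PHj, AUX), K'p), for the message re-establishment form; the key material, the AUX value, the period limits and the count values are constructed.

```python
# Added example (not from the patent): the two-level signature scheme.
# Assumptions: toy textbook RSA on fixed Mersenne-prime moduli (illustration
# only) and hash-and-sign with the message given to the verifier, standing in
# for the page's message-recovery signature.  All key material is constructed.
import hashlib
import secrets

def toy_rsa_keypair(p, q, e=65537):
    """Return (public, private) as (n, exponent) pairs.  Illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key, signature: int, message: bytes) -> bool:
    """V_Kp(S_Ks(m), m) = Yes/No: the verifier is handed m as a parameter."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def encode(*parts) -> bytes:
    """Canonical byte encoding of a tuple such as (K'p, PHj, AUX)."""
    return b"|".join(repr(p).encode() for p in parts)

def in_period(t: int, ph) -> bool:
    """PHj is a union of closed intervals [VH1, VH2] U [VH3, VH4] U ..."""
    return any(lo <= t <= hi for lo, hi in ph)

def validate_key(authority_private, key_public, ph, aux: bytes) -> int:
    """Operation Vj: the authority signs (K'p, PHj, AUX) to produce DAj."""
    return sign(authority_private, encode(key_public, ph, aux))

def key_respond(key: dict, authority_public, aij: bytes, vck: int):
    """Electronic key EKkj: auxiliary step 1007, then signature step 1002."""
    kp2, ks2, ph, aux, daj = key["K'p"], key["K's"], key["PHj"], key["AUX"], key["DAj"]
    # 1007a: certificate DAj checked under Kp, clock VCK checked against PHj
    if not verify(authority_public, daj, encode(kp2, ph, aux)) or not in_period(vck, ph):
        return None                                    # 1007d: protocol interrupted
    # 1007b: K's must belong to K'p: sign a fresh random X, verify, compare VX with X
    x = secrets.token_bytes(16)
    if not verify(kp2, sign(ks2, x), x):
        return None
    # 1007c positive -> 1002: Ci = S_K's(aij), sent together with DAj, K'p, PHj, AUX
    return {"Ci": sign(ks2, aij), "DAj": daj, "K'p": kp2, "PHj": ph, "AUX": aux}

def lock_verify(authority_public, aij: bytes, co: int, response) -> bool:
    """Electronic lock Bi: step 1003, holding only the first public key Kp."""
    if response is None:
        return False
    kp2, ph, aux = response["K'p"], response["PHj"], response["AUX"]
    # 1003a: authenticity of DAj under Kp, with the transmitted K'p as parameter
    if not verify(authority_public, response["DAj"], encode(kp2, ph, aux)):
        return False
    # 1003ai (figure 1f): the lock's own count value CO must fall inside PHj
    if not in_period(co, ph):
        return False
    # 1003b: V_K'p(Ci) must match the challenge aij the lock stored beforehand
    return verify(kp2, response["Ci"], aij)

def demo():
    """One honest access plus the failure cases: playback, expiry, forged DAj."""
    m31, m61, m89, m107 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1
    kp, ks = toy_rsa_keypair(m31, m61)         # authority pair Kp / Ks
    kp2, ks2 = toy_rsa_keypair(m89, m107)      # key-specific pair K'p / K's
    ph = [(1000, 2000), (5000, 6000)]          # constructed PHj, union of intervals
    aux = b"serial-0001"                       # constructed AUX value
    key = {"K'p": kp2, "K's": ks2, "PHj": ph, "AUX": aux,
           "DAj": validate_key(ks, kp2, ph, aux)}
    aij = secrets.token_bytes(16)              # random variable message from Bi
    honest = key_respond(key, kp, aij, 1500)
    ok = lock_verify(kp, aij, 1500, honest)
    # playback of an earlier Ci against a fresh challenge is refused at 1003b
    replayed = lock_verify(kp, secrets.token_bytes(16), 1600, honest)
    # a key consulted outside PHj refuses to sign at all (1007a negative)
    expired = key_respond(key, kp, aij, 3000) is None
    # DAj issued by some other authority is rejected by the lock at 1003a
    _, rogue_ks = toy_rsa_keypair(m31, m89)
    forged = dict(honest, DAj=validate_key(rogue_ks, kp2, ph, aux))
    forged_ok = lock_verify(kp, aij, 1500, forged)
    return ok, replayed, expired, forged_ok
```

The lock in this model stores only Kp and receives K'p alongside DAj, which is the storage arrangement of the figure 2a variant described later on this page; the figure 1a arrangement would add an equality test of the transmitted K'p against the copy held in the lock before step 1003b.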

Performing the verification operations 1007a and 1007b using the message re-establishment signature verification algorithms, such as the RSA algorithm, previously referred to can preferably be carried out when the second public key K'p is transmitted, in the subsequent step of transmitting the electronic key EKkj to the electronic lock Bi. In any other case, in the absence of such transmission, the verification operation can be reduced to an operation of the following type, taking the second public key K'p as parameter:

- VKp(SKs(K'p, PHj, AUX), K'p) = Yes/No

What is more, the protocol according to the present invention can be adapted to limit all attack outside of the validity time period PHj associated with the second public key K'p.

To this end, as shown in figure 1f, during the step of verification by the electronic lock Bi of the authenticity of the signature value (step 1003 in figure 1a and more particularly steps 1003a and 1003b in figure 1c), following the first step 1003a of verifying the authenticity of the specific authentication data DAj, consisting of checking the validity time period associated with the second public key K'p, but prior to the second verification step 1003b shown in figure 1c, a plurality of tests (1003ai, figure 1f) can be carried out to limit all attack outside the aforementioned validity time period. In figure 1f, the plurality of tests is represented, in a manner that is not limiting on the invention, as a comparison, within the aforementioned validity time period, of the count value CO delivered by the electronic lock or, where applicable, a time signal delivered by a clock when the electronic lock has a clock. To be more specific, this test can consist of comparing the count value CO to limits defining the aforementioned validity time period PHj, for example. If the count variable CO or the corresponding time signal is not inside the validity time period, the electronic lock Bi refuses any attempt at access. Other tests limiting attack outside the validity time period can be considered.

With regard to tests for limiting all attack outside a particular time period PHj, a preferred non-limiting embodiment will be described hereinafter in the situation where the electronic key has a real-time clock. At the time of any attempt at access, if the verification step such as the step 1007a has been effected validly at the level of the electronic key EKkj, in particular the test for the compatibility of the time variable delivered by the clock signal VCK with the time period PHj, the current time variable VCK delivered by the real time clock is stored in the electronic key EKkj.

During the step of transmitting the electronic key EKkj to the electronic lock Bi, shown in figure 1a and referenced 1002 in figure 1b, the time variable VCK is transmitted in addition to the signature value Ci and the authentication data DAj, and the second public key K'p where applicable. For this reason the time variable is shown in brackets.

The subsequent verification steps can then be performed in the electronic lock Bi.

As shown in figure 1f, for a count value CO delivered by a counter in the electronic lock Bi, a count value at the time of the attempt at access and a reference value VCref corresponding to a count value at the time of a previous attempt at access, for example, are stored in the lock.

For a time period PHj reduced to a time interval [VH1, VH2], it is verified that the time variable VCK stored in memory and transmitted is after VH1 and before VH2 and also that VCK is after VCref. If any of the foregoing verifications is not satisfied, access to the lock Bi is barred. It is accepted otherwise.

Of course, and in a manner that is not limiting on the invention, the time period PHj can comprise a plurality of non-contiguous time intervals. In this case, the time period PHj can be expressed in the form of a union of time intervals, in which U represents the UNION operator:

PHj = [VH1, VH2] U [VH3, VH4] U ... U [VHn-1, VHn]

The limits which delimit each time interval can advantageously each be expressed as a date in the form day, month, year and a time in the form hour, minute, second.
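The two lock-side tests of figure 1f, applied to a period expressed as the union of intervals just given, as an added example that is not taken from the patent. VH1 to VHn, VCK, VCref and PHj are the page's symbols; the encoding of each day/month/year and hour/minute/second limit as UTC epoch seconds, the sample windows and the sequence of attempts are constructed here.

```python
# Added example (not from the patent): the lock-side limits of figure 1f for
# PHj = [VH1, VH2] U [VH3, VH4] U ...  Interval limits are encoded as UTC
# epoch seconds (an assumption); the windows and attempts are constructed.
from datetime import datetime, timezone

def stamp(day, month, year, hour=0, minute=0, second=0) -> int:
    """Encode a limit given as day, month, year and hour, minute, second."""
    return int(datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc).timestamp())

def in_period(t: int, ph) -> bool:
    """Membership of t in any closed interval [VH, VH'] of the union PHj."""
    return any(lo <= t <= hi for lo, hi in ph)

class LockFreshness:
    """Per-lock state: VCref is the time variable of the last accepted access."""

    def __init__(self, vc_ref: int = 0):
        self.vc_ref = vc_ref             # constructed start: no previous access

    def check(self, vck: int, ph) -> bool:
        """Apply the two tests of figure 1f to the VCK transmitted by the key."""
        if not in_period(vck, ph):       # VCK must lie inside some interval of PHj
            return False
        if vck <= self.vc_ref:           # VCK must be after VCref: a repeated or
            return False                 # rewound time variable is refused
        self.vc_ref = vck                # accepted: this VCK becomes the new VCref
        return True

def run_attempts(ph, attempts):
    """Evaluate a sequence of access attempts (their VCK values) at one lock."""
    lock = LockFreshness()
    return [lock.check(vck, ph) for vck in attempts]

def demo():
    # Constructed PHj: two windows on one day, 09:00-12:00 and 14:00-18:00 UTC.
    ph = [(stamp(3, 6, 2024, 9), stamp(3, 6, 2024, 12)),
          (stamp(3, 6, 2024, 14), stamp(3, 6, 2024, 18))]
    attempts = [
        stamp(3, 6, 2024, 10),           # inside the first window: accepted
        stamp(3, 6, 2024, 10),           # the same VCK again (playback): refused
        stamp(3, 6, 2024, 9, 30),        # earlier than the stored VCref: refused
        stamp(3, 6, 2024, 13),           # in the gap between the windows: refused
        stamp(3, 6, 2024, 15),           # second window, after VCref: accepted
        stamp(3, 6, 2024, 19),           # after VHn: refused
    ]
    return run_attempts(ph, attempts)
```

The second test is what makes a captured transmission useless even inside PHj: once a VCK has been accepted it becomes VCref, so any later presentation of the same or an earlier time variable is barred, and the stored VCref only ever moves forward.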
To confer a very high level of security on the access control protocol according to the present invention, even more strict measures can be applied, in particular at the level of the electronic key EKkj, to limit further risk of fraudulent use of the electronic key, in particular if it is lost or stolen. To this end, as shown in figure 1g, the step 1002 shown in figure 1a of calculating a signature value of the random variable message prompting authentication can be preceded by a signature authorisation auxiliary verification step, repeating some parts of the verification step 1007 shown in figure 1e, but increasing the security level of the verification by introducing a step of self-invalidation of the electronic key EKkj under conditions explained below.

The electronic key EKkj includes a clock CK delivering a clock signal VCK required for implementing the auxiliary verification step shown in figure 1g, in the same manner as in the case of implementing the auxiliary verification step of figure 1e.

This being so, as shown in figure 1g, the auxiliary verification step 1007 comprises a step of checking that a time variable, the clock signal VCK delivered by the real time clock CK, is inside the validity time period PHj. Clearly, to this end, the step 1007a shown in figure 1g corresponds substantially to the step 1007a shown in figure 1e.

Likewise the step 1007b shown in both of the aforementioned figures.

In the case of figure 1g, the step 1007c of figure 1e is in fact subdivided into two sub-steps 1007c1 and 1007c2, for example.

The step 1007c1 consists of testing that the time variable VCK delivered by the real-time clock is inside the validity time period PHj. If the result of the test in step 1007c1 is positive, step 1007c2 compares the verified value VK'p of the second public key K'p to the value of the second public key K'p and the verified value VX of the random variable X to the aforementioned random variable X, for example.

If the result of the test in step 1007c1 is negative, for example, in other words if the time variable VCK is not inside the time period PHj, the protocol according to the present invention consists of executing a step 1007c3 which invalidates the electronic key EKkj. The invalidation step 1007c3 then leads, of course, to a step 1007d of interrupting the access control protocol according to the present invention, on the grounds that the electronic key cannot be used.

Various techniques can be used to invalidate the electronic key EKkj, such as short-circuiting the supply voltage of the electronic circuits, i.e. the calculation circuit Cakj of the electronic key, and dissipating all of the electrical energy powering those circuits, or where applicable setting one or more switch-off variables for inhibiting the operation of the electronic key concerned.

On the other hand, if the result of the test in step 1007c2 shown in figure 1g is positive, the protocol continues (step 1007e, i.e. step 1002 of calculating the signature of the random variable prompting authentication aij as shown in figure 1a).
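The ordering of sub-steps 1007c1, 1007c2 and 1007c3 of figure 1g as a small state machine, added here as an example and not the patent's own code. The step numbers, VCK, VK'p, K'p, VX, X and PHj are the page's; the return strings naming the step reached and the boolean latch standing in for a switch-off variable are assumptions.

```python
# Added example (not from the patent): key-side authorisation of figure 1g.
# The 'switched_off' latch models one switch-off variable (step 1007c3); the
# returned step names and the sample period are constructed.

def in_period(t: int, ph) -> bool:
    """Membership of t in the union of closed intervals PHj."""
    return any(lo <= t <= hi for lo, hi in ph)

class ElectronicKey:
    def __init__(self, ph):
        self.ph = ph
        self.switched_off = False        # one-way switch-off variable

    def authorise_signature(self, vck: int, verified_kp2, kp2, vx, x) -> str:
        """Return the step reached: '1007e' (continue to 1002) or '1007d'."""
        if self.switched_off:
            return "1007d"               # an invalidated key never signs again
        # 1007c1: is the clock value VCK inside PHj?  Tested before anything else.
        if not in_period(vck, self.ph):
            self.switched_off = True     # 1007c3: self-invalidation
            return "1007d"
        # 1007c2: VK'p == K'p and VX == X, the results of steps 1007a and 1007b
        if verified_kp2 != kp2 or vx != x:
            return "1007d"               # interrupted, but the key stays usable
        return "1007e"                   # continue to step 1002

def demo():
    key = ElectronicKey([(100, 200)])    # constructed PHj
    kp2, x = "K'p-sample", b"X-sample"
    inside = key.authorise_signature(150, kp2, kp2, x, x)        # continue
    mismatch = key.authorise_signature(150, kp2, "other", x, x)  # interrupted only
    outside = key.authorise_signature(250, kp2, kp2, x, x)       # latch set
    later = key.authorise_signature(150, kp2, kp2, x, x)         # still refused
    return inside, mismatch, outside, later, key.switched_off
```

The clock test is evaluated first, so a key presented outside PHj invalidates itself whatever the outcome of the key comparisons, whereas a mismatch in 1007c2 alone only interrupts the current attempt; with the latch in place the key's later behaviour no longer depends on the time variable at all.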

Variants of the access control protocol according to the present invention are naturally feasible, in particular to assure an optimum level of security, both at the level of each electronic key EKkj and at the level of each electronic lock Bi.

Figure 2a shows a variant of the access control protocol according to the present invention which is particularly noteworthy in that no second public key K'p is stored in memory in each electronic lock Bi.

To this end, firstly, the operation of validating each electronic lock Bi consists of a validation operation Vi in which only the first public key Kp is stored in the memories of the calculation units of each electronic lock Bi.

Secondly, the operation Vj of validating each electronic key EKkj consists of transmitting only the specific authentication data DAj and the second private signature key K's. The second private signature key K's is transmitted and stored in the memories of the calculation circuits Cakj of the electronic key EKkj.

During attempted access, in accordance with the protocol according to the present invention, the steps of transmitting the access request identification message Akj,i and the random variable message prompting authentication aij from the electronic lock Bi to the electronic key EKkj are unchanged.

On the other hand, the step 1002 previously described of calculating the signature value of the random variable message prompting authentication aij is modified in the following manner. The authentication data is verified first, this verification being denoted VKp(SKs(K'p, PHj, AUX)).

With the preceding convention, the second public key K'p is restored, which enables the signature value Ci = SK's(aij) of the random variable message to be calculated on the basis of the available second private signature key K's. Because the signature value is available and stored in memory, the operation of transmitting the signature Ci of the random variable message prompting authentication, the specific authentication data DAj and the second public key K'p to the lock Bi can be carried out.

The protocol according to the present invention is then resumed at step 1003 of figure 1a for example by the lock Bi.

All the verification steps, followed by the steps of 
calculating the signature values Ci, followed by the 
aforementioned transmission, are represented in steps 
1002a, 1002b, 1002c of figure 2b, prior to execution of 
the step 1003 previously mentioned. 

There follows a description with reference to 
Figures 3a and 3b of the architecture of an electronic 
key and an electronic lock for implementing the access 
control protocol according to the present invention. 

Figure 3a shows an electronic key EKkj which has a cryptographic calculation module Cakj, a message or data transmission module and a transmit/receive wire antenna Tkj, as previously described. The cryptographic calculation module comprises, in addition to a central processor unit CPU, a protected access memory area 1 for storing at least one signature value of a validity time period allocated to the electronic key, that signature value corresponding of course to the specific authentication data DAj previously mentioned. The protected access memory area 1 is also used to store a signature verification key, the first public key Kp, for verifying the aforementioned signature consisting of the specific authentication data. It also stores a signature key, the second signature key K's mentioned previously. This embodiment corresponds to the embodiment of the protocol according to the present invention shown in figure 1a.

The cryptographic calculation module Cakj also includes a read-only memory (ROM) 2 enabling the central processor unit CPU to call programs for calculating the signature value of a random variable message, i.e. the message aij previously mentioned, and for signature verification on the basis of the signature keys, respectively signature verification keys, i.e. the keys K's and Kp previously mentioned. The read-only memory 2 of the key stores programs for calculating signature values of the random variable message and verifying signatures on the basis of the signature keys K's and signature verification keys Kp, K'p, as in the flowcharts shown in figures 1e and 1g previously described.

In addition to the above, and depending on the embodiment of the protocol according to the present invention used, the cryptographic calculation module Cakj includes a clock 3, for example, delivering the clock signal VCK to the central processor unit CPU and, of course, a scratchpad random access memory (RAM) 4.

Finally, the system has a serial port PS for 
implementing the validation step Vj previously mentioned. 

With regard to the electronic lock Bi shown in figure 3b, it has, of course, a cryptographic calculation module Cai and a message transmission/reception module Ei both associated with an antenna Ti which is shown as a wire antenna in figure 3b, without this being limiting on the invention.

The cryptographic calculation module Cai includes a protected access memory area in addition to a central processor unit CPU. The protected access memory area is used to store at least one public signature verification key, i.e. the first public key Kp and the second public key K'p in the embodiment of the protocol according to the present invention shown in figure 1a, or respectively to store a single public key, i.e. the first public key Kp in the embodiment of the protocol according to the present invention shown in figures 2a and 2b.

What is more, a read-only memory 6 connected to the central processor unit enables the central processor unit to call signature verification programs based on the public key or keys Kp, K'p previously mentioned. The read-only memory 6 stores signature verification programs, for example, whose flowchart corresponds to that shown in figures 1d, 1c and 1f previously described. Similarly, a counter 7 or if necessary a real-time clock and a serial port PS are provided.

An access control protocol between an electronic key and an electronic lock has therefore been described, the electronic lock applying access control in a particularly powerful manner in that the electronic key, which has cryptographic potential, is able to authenticate its attempt to access each of the accessed electronic locks.

A protocol of the above kind would appear to be of major benefit because the operation of signature by the key of the random variable message prompting authentication constitutes a variable right of access, changing on each transaction, so that playback is prevented.

Finally, the protocol according to the present invention can be used to optimise the overall security level in that a single signature verification public key can be stored in each electronic lock. It constitutes a secure method of access control. The optimisation is adapted to suit the application.

The protocol according to the present invention and the electronic key and the electronic lock for implementing the protocol would appear to be particularly suitable for management by approved employees of strongboxes or mailboxes, for example.



